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1.  SUMMARY 


This  Final  Technical  Report  summarizes  the  major  research  activities  and  findings  for 
the  performance  period  of  the  research  Grant:  August  01,  201 1  to  September  30,  2011. 
The  work  undertaken  involved  the  investigation  of  applying  Elliptic  Curve  group 
pairing-based  Zero-Knowledge  Protocols  ZKP  to  the  problem  of  authentication  in 
tactical  airborne  networks. 
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2.  INTRODUCTION 


The  Airborne  Network  (AN)  uses  a  heterogeneous  set  of  physical  links  to  interconnect 
space,  terrestrial  and  highly  mobile  airborne  platforms.  Acting  as  a  wireless  backbone, 
the  airborne  network  delivers  infonnation  to  wireless  units  in  an  on-demand  manner, 
and  such  infonnation  is  periodically  updated  by  satellites,  ground  base  stations  and 
wireless  tactical  units.  From  the  network  perspective,  given  the  dynamically  changing 
topology  and  the  bandwidth-limited  channel  conditions,  it  will  be  critical  to  develop 
effective  link  access  protocols  and  routing  protocols  which  can  accommodate  the 
unique  characteristics  of  the  Airborne  Network. 

The  research  along  this  direction  in  mobile  ad  hoc  networks  received  much 
attention,  and  many  efficient  and  viable  solutions  have  been  proposed  [1-5].  From  the 
service  perspective,  as  a  large  amount  of  sensitive  data  is  stored  in  the  wireless 
backbone,  data  security  naturally  becomes  a  big  concern.  For  instance,  data  reported 
by  military  satellites  and  reconnaissance  aircraft  are  closely  related  to  privacy  issues 
and  should  be  accessible  only  to  authorized  units/users.  Moreover,  in  hostile 
environments,  attackers  may  successfully  breach  the  network  defenses  and  cause 
damage  to  the  ANs  to  a  certain  extent,  e.g.,  the  attackers  may  disrupt  the  central 
authority  (CA),  on  which  the  entities  in  ANs  rely  to  authenticate  each  other  for  data 
access  functionality,  and/or  the  attackers  may  deplete  the  energy  reserves  of  the  nodes 
and  render  them  dysfunctional. 

These  considerations  motivate  us  to  develop  more  robust  and  efficient 
authentication  and  access  control  mechanisms  in  airborne  networks. 


APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED 

2 


3.  METHODS,  ASSUMPTIONS  and  PROCEDURES 


In  symmetric  key  cryptography  (SKC)  based  approaches,  authentication  is  realized  by 
using  the  same  key  for  authentication,  and  data  encryption/decryption.  However,  it  is 
necessary  to  know  all  network  members  a  priori  and  pre-con  figure  a  secret  key  for 
every  pair  of  wireless  nodes,  which  leads  to  scalability  problems. 

3.1  SKC  &  PKC  Based  Approaches  for  Authentication  in  Airborne  Networks 

Compared  to  SKC-based  solutions,  public  key  cryptography  (PKC)  based  approaches 
use  digital  signatures  for  authentication,  and  can  provide  better  data  access  security  by 
encrypting  data  with  a  recipient’s  public  key,  where  the  compromise  of  the  storage 
units  will  not  jeopardize  the  data  security.  However,  the  common  approach  of  using  a 
single  certificate  authority  (CA)  for  certifying  every  public  key  is  impractical  given  a 
large  number  of  users.  Actually,  when  using  the  public  key  infrastructure  (PKI)  for 
authentication,  it  is  required  that  all  entities  obtain  a  PKI  certificate  from  a  CA,  in 
order  to  access  the  system  functions  (e.g.,  data  access). 

In  the  authentication  process,  the  verifier  node  first  uses  the  CA’s  public  key  to 
verify  the  prover  node’s  certificate,  and  then  uses  the  prover  node’s  public  key  to 
verify  its  identity.  This  solution  has  several  drawbacks: 

(1)  The  amount  of  calculation  is  very  large.  Due  to  the  lack  of  computing  power  or 
energy  after  attacks,  the  network  nodes  may  not  be  able  to  afford  such  overhead. 

(2)  It  creates  a  single  point  of  failure.  The  CA  could  become  the  target  of  attacks,  and 
if  it  fails  the  entire  authentication  system  will  stop  working. 

(3)  It  requires  a  three-way  exchange  of  infonnation  among  the  verifier  node,  prover 
node  and  the  CA.  If  the  CA  is  not  available  after  attack,  the  nodes  that  do  not 
have  the  public  key  of  the  CA  cannot  perform  authentication. 

For  these  reasons,  there  is  a  critical  need  for  more  lightweight,  efficient  and  robust 
authentication  mechanisms  that  can  accommodate  the  unique  characteristics  of  the 
airborne  network  and  have  a  dynamic  capability  to  survive  or  recover  from  malicious 
attacks. 
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3.2  Use  of  ZKP  based  on  the  Factoring  Problem  Over  Zn 

In  cryptography,  Zero-Knowledge  Protocols  (ZKP)  allow  identification,  key  exchange, 
and  other  basic  cryptographic  operations  to  be  implemented  without  leaking  any 
user-identity  infonnation  during  the  conversation  and  with  smaller  computational 
requirements  than  using  comparable  public  key  protocols.  Specifically,  a  ZKP  has  the 
following  properties: 

(1)  The  verifier  cannot  leam  anything  from  the  protocol.  That  is,  no  knowledge  is 
transferred. 

(2)  The  prover  cannot  cheat  the  verifier.  That  is,  without  knowing  the  verifier’s 
cryptographically  derived  credentials  i.e.,  private  (key)  infonnation,  the  prover 
can  only  succeed  with  a  great  amount  of  good  luck. 

(3)  The  verifier  cannot  cheat  the  prover.  That  is,  the  only  thing  the  verifier  can  do  is  to 

convince  himself  that  the  prover  knows  the  private  (key)  infonnation. 

These  features  are  correlated  with  each  other,  and  together  with  the  lighter 
computational  requirements,  make  zero-knowledge  protocols  very  attractive  in 
authentication  services  in  airborne  networks.  In  this  section,  we  use  the 
Guillou-Quisquater  (GQ)  protocol  [6]  to  demonstrate  the  application  of  ZKP  in 
authentication  services. 

The  key  idea  of  anonymous  communication  is  to  provide  privacy  among  a  group 
of  participants,  each  of  which  is  allocated  a  share  of  a  secret.  In  a  typical  (k, 
n)-threshold  secret  sharing  scheme,  any  combination  of  less  than  k  secret  shares 
reveals  no  information  regarding  the  secret.  On  the  other  hand,  no  more  than  k  out  of 
n  shares  are  required  to  fully  recover  the  secret.  Obviously,  this  property  can  be  used 
to  enhance  the  system  dependability.  In  the  proposed  scheme,  we  use  the  verifiable 
secret  sharing  (VSS)  [7]  scheme  to  detect  the  invalid  or  corrupted  shares  due  to 
attacks. 

Bootstrapping  Phase: 

1 .  A  trusted  authority  T  selects  two  random  primes  p  and  q  and  forms  a 
modulus  n  =  p  •  q. 

2.  T  defines  a  public  exponent  v  >  4  with  gcd(v,  (p  -  l)(g  -  1))  =  1  so  that  T 
can  compute  5  =  v  -  1  mod  4 (p  -  l)(g  -  1). 

3.  T  publishes  parameters  n  and  v. 
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4.  A  node  A  has  a  unique  identification  Id(A).  Everyone  can  calculate  a 
value  J(A)  =/ ( \d(A))  mod  n  (the  redundant  identity). 

5.  T  gives  to  node  A  the  secret  data  where  sccrct(d)  =  J(A)~S,  which  it  can  calculate. 

This  is  one  time  setup  process.  The  secret  5  is  used  to  generate  scorch'd )  for  node  A 
authentication. 

Secret  Distribution: 

1 .  A  cyclic  group  G  of  prime  order  p'  with  a  generator  g  of  G  is  chosen  publicly 
as  a  system  parameter,  where p'  satisfies  s  <p'. 

2.  T  generates  shares  P{  1), .  .  .  ,  P(n)  and  distributes  to  each  node  one  value, 
where  P(x)  =  s+ai  x+.  .  .  +a,  x  is  a  random  polynomial  of  degree  t  and 
P( 0)  =  s  is  the  original  secret. 

3.  T  computes  and  publishes  commitments  to  the  coefficients  of  P, 

•  „  s  al  at 

i.e.,  c0  =  g  ,  ci  =g  ,...,ct=g  . 

Authentication  Phase: 

Node  A  proves  his  identity  to  node  B  using  t  rounds,  each  of  which  consists  of: 

1 .  A  selects  a  random  secret  r  and  sends  his  identity  Id(d)  and  x  =  rv  mod  n  to  B. 

2.  B  selects  a  random  challenge  e  in  {1,2, ...,  v}. 

3.  A  computes  and  sends  the  following  response  to  B:  y  =  r  ■  secret(d)e  mod  n. 

4.  B  receives  y,  constructs  J(A)  =f  (Id(d))  mod  n,  computes  z  =  ,J(A  f  yv, 
and  accepts  this  round  if  z  =  x  mod  n. 

System  Recovery  Phase: 

Even  if  T  is  not  available,  the  nodes  that  survive  attacks  can  reconstruct  the 
authentication  system.  Assume  a  node  C  initiates  the  recovery  process. 

1.  C  uses  the  authentication  protocol  to  verify  the  validity  of  its  neighbor  nodes.  C 
should  also  authenticate  itself  to  others. 

2.  If  authentication  succeeds,  each  node  further  verifies  the  integrity  of  its  own  share: 
node  i  that  holds  u  =  P(i)  checks  if  the  following  equation  holds: 


u  i 1 

g  =  c0c[ 


...cl  - 


=  nUsajiJ  =gp(i)- 


(i) 
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3.  If  k  -  1  nodes  pass  the  authentication  and  integrity  verification  processes,  C 
generates  a  temporary  public/private  key  pair  (kpub  ,  kpri  ).  C  broadcasts  the  request  for 
secret  shares  and  the  self-generated  public  key  kpub  to  the  verified  nodes. 

4.  Each  node  encrypts  its  stored  secret  share  using  C’s  temporary  public  key  kpub  and 
sends  to  C. 

5.  C  decrypts  the  received  shares.  After  retrieving  (i,  P(i ))  of  all  i  in  B  (B  is  the  set  of 
the  k  -  1  share  holders),  C  applies  the  Lagrange  interpolation  formula  to  reconstruct: 


s  where  bt  =  • 

J  *• 


(2) 


Analysis.  The  bootstrapping  and  secret  distributions  are  both  one-time  setup 
processes.  T  would  no  longer  be  involved  in  the  system  after  the  private  keys  have 
been  issued.  In  the  authentication  process,  all  legitimate  entities  obtain  a  unique  pair 
(«/(.4),secret(/l)).  The  verifier  B  offers  a  hard  problem  (i.e.,  factoring  extremely  large 
numbers).  Only  if  the  prover  A  knows  the  solution  to  the  hard  mathematical  problem 
can  he  be  able  to  provide  any  of  the  solutions  asked  for.  The  proposed  scheme  has  the 
following  properties: 

1 .  Compared  to  public  key  based  protocols,  the  proposed  protocol  does  not  need  to 
validate  the  certificate  before  communication.  Furthermore,  the  authentication 
protocol  can  achieve  the  same  results  with  approximately  one  to  two  orders  of 
magnitude  less  computing  power  [8].  That  implies  the  authentication  can  still 
work  even  with  limited  energy  after  certain  energy  depletion  attacks.  Thus, 
efficiency  is  achieved. 

2.  This  is  a  distributed  protocol.  The  centralized  authority  T  is  not  involved  in  the 

system  after  the  boot-strapping  process.  The  nodes  can  authenticate  each  other 
solely  based  on  their  (J(/4),secret(/4))  pairs,  without  interacting  with  T .  Moreover, 
the  coalition  of  a  certain  number  of  nodes  can  reconstruct  the  secrets  and 
collaboratively  act  as  T,  so  as  to  configure  and  generate  authentication 
infonnation  for  the  newly  joined  nodes.  By  using  VSS  the  individual  nodes  can 
also  verify  the  integrity  of  their  stored  secret  shares  before  secret  reconstruction. 
Hence,  both  the  system  availability  and  dependability  are  enhanced  compared  to 
a  centralized  approach. 

Such  efficient  and  robust  mechanisms  will  greatly  enhance  the  data  security/privacy  of 
current  versions  of  airborne  networks. 
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4.  RESULTS  AND  DISCUSSIONS 


4.1  A  Proposed  Solution  Using  ZKP  based  on  Pairing-based  Cryptography 

Recently,  it  has  been  shown  that  the  practically  efficient  constructions  of  ZKPs  that 
are  based  on  standard  intractability  assumptions  come  from  pairing 
based-cryptography  [9-12],  where  a  pairing  is  used  between  elements  of  two 
cryptographic  groups  to  a  third  group  to  construct  cryptographic  systems.  If  elliptic 
curve  (EC)  groups  [13,  14]  are  utilized  as  the  cryptographic  groups,  solving  the 
discrete  log  problem  over  elliptic  curves  takes  exponential  time  as  compared  to  ZKP 
protocols  where  the  security  of  the  system  usually  relies  on  the  hardness  of  the 
discrete  logarithm  problem  over  sub-exponential  solving  times  [15]. 

The  use  of  pairing-based  ZKP  on  elliptic  curves  can  potentially  enhance  the 
security  strength  of  the  system.  On  the  other  hand,  compared  to  ZKP  protocols  based 
on  the  factoring  problem  over  Zn,  pairing-based  ZKPs  can  also  integrate  smoothly 
with  other  pairing-based  cryptographic  schemes  (e.g.,  identity-based  encryption, 
pairing-based  signatures,  key  agreement,  and  proxy  re-encryption),  making  the 
combined  schemes  quite  efficient.  So  it  is  envisioned  that  pairing-based  ZKPs  will 
have  a  wide  application  in  constructing  cryptographic  systems  with  various 
functionalities. 

4.2  Bilinear  maps  and  Pairings 

A  bilinear  map  is  a  map  e  :  G  x  G  — >•  Gj  ,  where  G  is  a  Gap  Diffie-Hellman  (GDH) 
group  and  GT  is  another  multiplicative  cyclic  group  of  prime  order  p  with  the 
following  properties:  (i)  Computable:  there  exists  an  efficiently  computable  algorithm 
for  computing  e\  (ii)  Bilinear:  for  all  hi  ,  h2  e  G  and  a,  b  £  Z  p  ,  h^)  =  e{hi , 

hj  )ab  ;  (iii)  Non-degenerate:  e(g,  g)=£l,  where  g  is  a  generator  of  G. 

The  proposed  authentication  scheme  using  ZKP  based  on  pairings  is  as  follows: 
Bootstrapping  Phase: 

1 .  A  trusted  authority  T  chooses  s  as  the  secret  and  computes  a  private  key  for  node  i 
as  /z(Id(z'))s ,  where  h  is  a  hash  function.  Assume  /z(Id(z'))  =  g"  . 

2.  T  publishes  gai  =  h(Id(z'))  and  gs . 
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3.  A  node  A  with  unique  identification  Id  (A)  get  its  private  key  h(\d(A))s  =  gaAs  and 
public  key  (g,  gaA  =h(\d(A)),  vA  =  e(g,  g)aA  '  =  e(h(\d(A)),  g  )). 


Secret  Distribution: 

1.  A  cyclic  group  G  of  prime  order  p'  with  a  generator  g  of  G  is  chosen  publicly  as  a 
system  parameter,  where p'  satisfies  s  <  p'. 

2.  T  generates  shares  P{  1),  .  .  .  ,  P( n)  and  distributes  each  node  one  value,  where 
P(x )  =  s+ai  x+.  .  .+a,  x  is  a  random  polynomial  of  degree  t  and  P(0)  =  s  is  the 
original  secret. 

3.  T  computes  and  publishes  commitments  to  the  coefficients  of  P,  i.e.,  cq  =  g\  and 


Authentication  Phase: 

Node  A  proves  his  identity  to  node  B  using  t  rounds,  each  of  which  consists  of: 

1 .  A  selects  a  random  secret  r  e  [0,  p]  and  computes  WA  =  e(g,  g)r.  A  sends  Id(A) 
and  W,j  to  B. 

2.  B  selects  a  random  challenge  c  in  [0,  2k  ]  and  sends  it  to  A. 

3.  A  computes  and  sends  the  following  response  to  B :  YA  =  grx  (gaAs)°. 

4.  B  receives  YA  and  verify  e(g,  YA  )  =  WA  x  vc  ,  and  accepts  this  round  if  it  is  true. 


System  Recovery  Phase: 


Even  if  T  is  not  available,  the  nodes  that  survive  attacks  can  reconstruct  the 
authentication  system.  Assume  a  node  C  initiates  the  recovery  process. 

1.  C  uses  the  authentication  protocol  to  verify  the  validity  of  its  neighbor  nodes.  C 
should  also  authenticate  itself  to  others. 

2.  If  authentication  succeeds,  each  node  further  verities  the  integrity  of  its  own  share: 
node  i  that  holds  u  =  P(z)  checks  if  the  following  equation  holds: 


gu 


cnc 


oLi 


=  gP(°. 


(3) 


3.  If  k  -  1  nodes  pass  the  authentication  and  integrity  verification  processes,  C 
generates  a  temporary  public/private  key  pair  (kpub  ,  kpri).  C  broadcasts  the  request  for 
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secret  shares  and  the  self-generated  public  key  Apu b  to  the  verified  nodes. 

4.  Each  node  encrypts  its  stored  secret  share  using  C’s  temporary  public  key  Apub 
and  sends  to  C. 

5.  C  decrypts  the  received  shares.  After  retrieving  (/,  P(z'))  of  all  i  in  B  (B  is  the  set 
of  the  k  —  1  share  holders),  C  applies  the  Lagrange  interpolation  formula  to 
reconstruct: 


S  =  T,i€Bbi  P( 0.  Where  bi  =  UjEB,j*iT~  •  (4) 

Analysis.  We  now  analyze  the  efficiency  of  the  proposed  scheme  in  terms  of 
computational  complexity,  focusing  on  the  number  of  group  exponentiations  or 
bilinear  map  pairing  evaluations,  which  are  the  most  computationally  extensive 
operations.  During  the  authentication  process,  at  the  prover  side,  the  number  of  group 
exponentiations  is  approximately  two  (note  that  c  is  a  k-bit  number  which  is 
significantly  smaller  than  p),  and  the  number  of  evaluations  of  bilinear  mapping  is 
zero;  At  the  verifier  side,  the  number  of  group  exponentiations  can  be  neglected  since 
c  is  very  small,  and  the  number  of  evaluations  of  bilinear  mapping  is  only  one. 

Implementation.  We  next  evaluate  the  pairing-based  authentication  scheme  in  Linux. 
Our  experiment  is  conducted  using  C  on  a  system  with  an  Intel  Core  2  processor 
running  at  2.4  GHz,  768  MB  RAM,  and  a  7200  RPM  Western  Digital  250  GB  Serial 
ATA  drive  with  an  8  MB  buffer.  The  authentication  algorithms  are  implemented  using 
the  Pairing-Based  Cryptography  (PBC)  library  version  0.4.21  [16]  and  the  crypto 
library  of  OpenSSL  version  0.9.8h.  All  the  curve  groups  we  work  on  have  a  160-bit 
group  order.  All  results  are  the  averages  of  100  trials.  Table  1  lists  all  the  pairing 
parameters  for  different  elliptic  curve  types. 


Table  1:  Description  of  all  the  pairing  parameters  for  different  elliptic  curve  types. 


Elliptic  curve  type 

Base  field  size  (bits) 

Embedding  degree  k 

Dlog  security 

a 

2 

1024 

d„ 

11 

6 

6n 

e 

1024 

1 

1024 

f 

160 

12 

1920 

gn 

11 

10 

10// 

C\ 

1024 

2 

2048 

As  suggested  in  [16],  a  type  a  curve  can  achieve  fastest  pairing  and  is  good  for 
cryptosystems  where  group  element  size  is  not  critical;  a  type  d„  curve  is  good  for 
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cryptosystems  when  group  elements  must  be  as  short  as  possible;  a  type  e  curve  can 
be  easily  found  and  requires  only  modular  arithmetic  to  implement;  a  type  f  curve  is 
useful  for  insuring  against  future  finite  field  discrete  log  algorithm  improvements;  a 
type  gn  curve  runs  slower  than  embedding  degree  12  pairings;  and  a  type  al  curve  is 
useful  when  some  cryptosystems  need  the  curve  order  to  be  a  specific  number.  Table  2 
shows  the  experimental  results  using  different  elliptic  curve  types. 


Table  2:  Time  complexity  of  operations  during  the  authentication  phase. 


Operations 

Elliptic  curve  type 

II 

YA=gr*  (g?nc 

e(g,  Ya)  =  W A  x  C, 

a 

13.7ms 

12.6ms 

8.3ms 

dn 

15.6ms 

3.6ms 

18.0ms 

e 

43.3ms 

31.2ms 

28.5ms 

f 

75.1ms 

3.7ms 

89.9ms 

gn 

44.9ms 

3.4ms 

54.8ms 

a\ 

296.6ms 

199.9ms 

21 1.7ms 

Note:  we  set  n  =  159  for  type  dn  curves  and  n  =  149  for  type  g„  curves. 


As  we  can  see,  the  operations  perfonned  in  the  authentication  phase  using 
pairing-based  cryptography  are  efficient.  And  the  use  of  a  and  dn  curve  types  for 
pairing-based  operations  can  achieve  a  better  average  time  efficiency  than  the  others. 
In  practice,  however,  it  is  more  preferable  to  choose  dn  type  curves  since  the  base  field 
size  of  dn  (n  =  159)  is  smaller  than  that  of  type  a  curve,  i.e.,  the  corresponding  size  of 
group  elements  in  type  d  1 59  curves  is  smaller. 


4.3  Integration  of  Pairing-based  ZKP  and  Attribute-based  Encryption  (ABE) 

Recently,  the  notion  of  ABE,  which  was  proposed  by  Sahai  and  Waters  [17],  has 
attracted  much  attention  in  the  research  community  for  designing  flexible  and  scalable 
access  control  systems.  For  the  first  time,  ABE  enables  public  key  based  one-to-many 
encryption.  Therefore,  it  is  envisioned  as  a  highly  promising  public  key  primitive  for 
realizing  scalable  and  fine-grained  access  control  systems,  where  differential  yet 
flexible  access  rights  can  be  assigned  to  individual  users. 

To  address  complex  and  general  access  policy,  two  kinds  of  ABE  have  been 
proposed:  Key-Policy  ABE  (KP-ABE)  [18,  19]  and  Ciphertext-Policy  ABE  (CP-ABE) 
[20-22],  In  KP-ABE,  access  policy  is  assigned  in  attribute  private  keys,  whereas,  in 
CP-ABE,  the  access  policy  is  specified  in  the  ciphertext. 
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In  KP-ABE,  data  are  associated  with  attributes,  and  for  each  a  public  key 
component  is  defined.  The  encrypter  associates  the  set  of  attributes  to  the  message  by 
encrypting  it  with  the  corresponding  public  key  components.  Each  user  is  assigned  an 
access  structure,  which  is  usually  defined  as  an  access  tree  over  data  attributes,  i.e., 
interior  nodes  of  the  access  tree  are  threshold  gates  and  leaf  nodes  are  associated  with 
attributes.  The  access  tree  is  constructed  using  iterative  secret  sharing  techniques 
between  different  layers  of  nodes,  and  the  user  secret  key  consisting  of  a  set  of  secret 
key  components  is  defined  to  reflect  the  access  structure.  Thus,  only  if  the  attributes 
associated  with  a  ciphertext  satisfy  the  user  key’s  access  structure  can  the  user  recover 
the  root  secret  and  further  decrypt  the  data.  This  access  tree  can  support  very 
expressive  types  of  control. 

Given  that  airborne  distributed  data  storage  and  access  systems  are  moving  fast 
toward  network  centric  architectures  [23],  we  can  integrate  pairing-based  ZKP  and 
attribute-based  encryption  (ABE)  [18]  to  design  a  unified  authentication  and  data 
access  control  system  in  a  single  public  key  cryptography  context  (i.e.,  using  the  same 
elliptic  curve  groups).  Specifically,  to  achieve  fine-grained  data  access  control,  we 
propose  to  explore  key-policy  attribute-based  encryption  (KP-ABE)  [18]  that 
cryptographically  binds  files  to  their  policies  and  seamlessly  integrates  the  access 
structure  with  data  encryption  such  that  only  users  possessing  the  requisite  set  of 
attributes  are  able  to  access  the  data. 

Key-Policy  ABE  (KP-ABE):  A  KP-ABE  scheme  is  composed  of  four  algorithms 
which  can  be  defined  as  follows: 

Setup:  This  algorithm  takes  as  input  a  security  parameter  k  and  the  attribute  universe 
U=  {1,  2,  .  .  .  ,  N}  of  cardinality  N.  It  defines  a  bilinear  group  Gi  of  prime  order  p 
with  a  generator  g,  a  bilinear  map  e  :  Gi  xGi  -WE  which  has  the  properties  of 
bilinearity,  computability,  and  non-degeneracy.  It  returns  the  public  key  PK  as  well  as 
a  system  master  key  MK  as  follows: 

PK  =  (T,  T] ,  T2 , . . . ,  Tn) 

MK  =  (y,  t] ,  t2  ,  .  .  . ,  tN  ),  (5) 

where  Gi  and  U  £  Zp  are  for  attribute  i,  1  <  i  <  N,  and  Y  £  G2  is  another  public 
key  component.  We  have  7]  =  g"  and  Y  =  e(g,  gf\ y  G  Zp.  While  PK  is  publicly  known 
to  all  the  parties  in  the  system,  MK  is  kept  as  a  secret  by  the  authority  party  T. 
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Encryption:  This  algorithm  takes  a  message  M,  the  public  key  PK,  and  a  set  of 
attributes  /  as  input.  It  outputs  the  ciphertext  E  with  the  following  fonnat: 


E  =  (I,E,{Ei}ieI),  (6) 

where  E  =  MY1,  Ej  =  Tf,  and  s  is  randomly  chosen  from  Z,p . 

Key  Generation:  This  algorithm  takes  as  input  an  access  tree  T,  the  master  key  MK, 
and  the  public  key  PK.  It  outputs  a  user  secret  key  SK  as  follows.  First,  it  defines  a 
random  polynomial  pi  (x)  for  each  node  i  of  T  in  the  top-down  manner  starting  from 
the  root  node  r.  For  each  non-root  node  j,  /;/())  =  pv arent(j)  (idx(/))  where  parent(/) 
represents  f  s  parent  and  idx(/)  is  f  s  unique  index  given  by  its  parent.  For  the  root 
node  r,p,{ 0)  =  y.  Then  it  outputs  SK  as  follows: 

SK  =  {sk  }/e  L,  (7) 


Pj(  0) 

where  L  denotes  the  set  of  attributes  attached  to  the  leaf  nodes  of  T  and  sk,  =  g  7  . 

Decryption:  This  algorithm  takes  as  input  the  ciphertext  E  encrypted  under  the 
attribute  set  /,  the  user’s  secret  key  SK  for  access  tree  T,  and  the  public  key  PK.  It  first 
computes  e(Eh  skj)  =  e(g,  g/"l0,s  for  leaf  nodes.  Then,  it  aggregates  these  pairing 
results  in  a  bottom-up  manner  using  the  polynomial  interpolation  technique.  Finally,  it 
may  recover  the  blind  factor  Ys  =  e(g,  gjvs  and  output  the  message  M  if  and  only  if  / 
satisfies  T . 

It  can  be  see  that  ABE  is  also  based  on  pairing-based  cryptography.  Therefore, 
we  can  seamlessly  integrate  pairing-based  ZKP  and  ABE  to  design  a  unified 
authentication  and  data  access  control  system  in  a  single  public  key  cryptography 
context  (i.e.,  using  the  same  elliptic  curve  groups).  We  propose  to  use  the  ABE-based 
fine-grained  distributed  data  access  control  scheme  in  [24],  The  basic  idea  of  the  data 
access  control  scheme  is  follows:  each  network  node  is  preloaded  with  a  set  of 
attributes  as  well  as  the  public  key  PK.  Note  that  the  set  of  attributes  can  be  any 
attribute  that  can  be  utilized  to  describe  data  accessibility  in  a  very  expressive  manner, 
e.g.,  the  type  of  the  network  node,  the  type  of  data,  location,  time  etc.  Each  user  is 
assigned  an  access  structure  and  the  corresponding  secret  key  SK.  The  lifetime  of  the 
airborne  network  is  divided  into  m  stages,  numbering  as  1,  2,  •  •  •,  m.  The  stage 
number  is  reset  to  1  when  it  increases  to  m  +  1 .  Each  period  is  further  divided  into  n 
phases,  numbering  1,2,-  •  •  ,  n,  where  we  set  n  <k,k  =  maxv,e,v  |/,  |. 
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Network  nodes  encrypt  and  store  data  on  the  phase  basis.  For  each  network  node, 
the  data  are  encrypted  by  a  symmetric  encryption  such  as  AES,  and  the  data 
encryption  keys  during  one  stage  form  a  one-way  key  chain,  one  data  encryption  key 
for  each  phase.  The  master  key  of  each  stage  is  always  generated  during  the  preceding 
stage,  and  encrypted  under  the  preloaded  attributes.  Upon  request  for  data,  the 
network  node  responds  with  the  encrypted  master  key  as  well  as  the  ciphertext  of  the 
data.  If  the  user  is  an  intended  receiver,  he  is  able  to  decrypt  the  master  key  and  derive 
the  data  encryption  key,  and  then  obtain  the  data. 

Analysis:  In  the  distributed  data  storage  and  access  system,  each  network  node  is 
assigned  a  set  of  attributes  and  each  user  is  assigned  an  access  structure.  The  proposed 
scheme  has  several  advantages.  First,  data  are  encrypted  under  the  attributes  such  that 
only  the  users  whose  access  structures  “accept”  these  attributes  can  decrypt.  As  the 
access  structure  is  very  expressive  so  that  the  data  access  capability  of  each  user  can 
be  controlled.  Second,  it  is  efficient  in  terms  of  key  storage,  computation,  and 
communication  overhead.  Finally,  it  is  resistant  against  user  collusion,  i.e.,  the 
cooperation  of  colluding  nodes  will  not  lead  to  the  disclosure  of  additional  data. 


APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED 

13 


5.  CONCLUSIONS 


Zero-knowledge  Protocols  (ZKPs)  enable  a  prover  to  convince  a  verifier  of  the  truth 
of  a  statement  without  leaking  any  other  information.  The  main  properties  of  ZKPs 
include  completeness,  soundness  and  zero-knowledge.  These  features  are  correlated 
with  each  other,  and  together  with  the  lighter  computational  requirements,  make 
zero-knowledge  protocols  very  attractive  in  authentication  services  in  airborne 
networks.  Although  useful,  the  non-interactive  zero-knowledge  proofs  based  on 
standard  cryptographic  assumptions  used  to  be  inefficient  and  not  useful  in  practice. 

Recently,  it  has  been  shown  that  the  only  practically  efficient  constructions  of 
non-interactive  zero-knowledge  proofs  that  are  based  on  standard  intractability 
assumptions  come  from  pairing  based-cryptography,  where  a  pairing  is  used  between 
elements  of  two  cryptographic  groups  to  a  third  group  to  construct  cryptographic 
systems.  In  addition,  if  elliptic  curve  (EC)  groups  are  utilized  as  the  cryptographic 
groups,  compared  to  ZKPs  where  the  security  of  the  system  usually  relies  on  the 
hardness  of  the  discrete  logarithm  problem  over  Zn  with  sub-exponential  solving  time, 
solving  the  discrete  log  problem  over  elliptic  curves  takes  exponential  time.  Therefore, 
the  use  of  pairing-based  ZKP  on  elliptic  curves  can  potentially  enhance  the  security 
strength  of  the  system.  Besides  these  advantages,  pairing-based  ZKPs  can  also 
integrate  smoothly  with  other  pairing-based  cryptographic  schemes  (e.g., 
identity-based  encryption,  pairing-based  signatures,  key  agreement,  and  proxy 
re-encryption)  making  the  combined  schemes  quite  efficient. 

So  it  is  envisioned  that  pairing-based  ZKPs  will  have  a  wide  application  in 
constructing  cryptographic  systems  with  various  functionalities.  Under  AFRL 
sponsorship  in  this  research  grant  we: 

1)  Conducted  a  survey  on  the  state  of  the  art  of  pairing-based  ZKPs  with  different 
elliptic  curve  groups,  including  both  interactive  and  non-interactive  ZKPs. 

2)  Investigated  and  compared  the  perfonnance  of  the  pairing-based  ZKP  protocol 
with  other  ZKPs  based  on  different  hard  problems  through  both  theoretical 
analysis  and  extensive  simulations.  Perfonnance  was  evaluated  in  terms  of 
computational  efficiency,  communication  efficiency,  and  security  strength. 

3)  Examined  the  integration  of  pairing-based  ZKP  and  attribute-based  encryption 
(ABE)  for  the  design  of  a  unified  authentication  and  data  access  control  system  in 
a  single  public  key  cryptography  context. 
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4)  Explored  key-policy  attribute-based  encryption  (KP-ABE)  that  cryptographically 
binds  files  to  their  policies  and  seamlessly  integrates  the  access  structure  with 
data  encryption. 

The  results  of  our  investigation  indicate  that  encryption  schemes  employing  Elliptic 
Pairing-based  Zero  Knowledge  Proofs  have  application  in  Tactical  Airborne  Networks  and 
offer  potential  for  enhancing  authentication  protocols. 
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LIST  of  SYMBOLS,  ABBREVIATIONS,  and  ACRONYMS 


ABE 

Attribute-Based  Encryption 

AES 

Advanced  Encryption  Standard 

AN 

Airborne  Networks 

CA 

Central  Authority 

CP 

Ciphertext-Policy 

EC 

Elliptic  Curves 

GQ 

Guillou-Qusquater 

GHz 

Giga  Hertz 

KP 

Key-Policy 

MB 

Mega  Byte 

MK 

Master  Key 

PBC 

Pairing-Based  Cryptology 

PKI 

Public  Key  Infrastructure 

RAM 

Random  Access  Memory 

RPM 

Revolutions-Per-Minute 

SK 

Secret  Key 

SKC 

Symmetric  Key  Cryptology 

VSS 

Verifiable  Secret  Sharing 

ZKP 

Zero-Knowledge  Protocol 
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